Sept. 15, 2023, 11:25 p.m. | /u/platypus_plumba

cybersecurity www.reddit.com

I'm not in the cybersecurity field, I'm just curious about how these miners are hidden in the Docker images that we pull from Dockerhub.

My initial guess was that some of the binaries in the image are tampered with to hide the processes being executed, for example tampering "ps" or "ls". But this seemed like a pointless approach because the user could install other tools that would reveal the processes.

I don't want to list my whole noob thought process …
